Privacy Policy
Last updated: June 12, 2026
This Privacy Policy explains how Techsolid Automation Limited ("we", "us", "our") collects, uses, and protects information when you use rungs.dev, learn.rungs.dev, and studio.rungs.dev (the "Service").
Who we are
Techsolid Automation Limited is a private limited company registered in Ireland. We act as the data controller for personal data processed through the Service.
What we collect
Account and identity data
The Service uses Supabase (EU region, Ireland) to sign you in and to remember your progress across devices.
- Anonymous session. When you first visit, we silently create an anonymous Supabase user so that your work can be saved. No name, email, or password is collected at this point. The anonymous user is identified only by a randomly generated UUID stored in a cookie on the .rungs.dev domain.
- Permanent account (optional). If you click "Sign in" and complete Google or GitHub OAuth, we receive your email address and the provider's user identifier from that provider, and we store those in our Supabase auth system together with a Supabase UUID. Signing in is optional and is only required to keep progress across devices and to upgrade an anonymous session.
- Anonymous-to-permanent merge. When you sign in after solving exercises anonymously, we run a one-shot server-side function (merge_exercise_progress) that moves your anonymous exercise progress rows onto your new permanent account in a single transaction. The emptied anonymous account is later removed by our retention cron, along with other inactive anonymous accounts (see below).
Exercise progress
When you run tests in an exercise on studio.rungs.dev, we upload the following to Supabase:
- The exercise slug
- Your AOI snapshot (tags, routines, tests) for that exercise
- Counts of how many tests passed
- Pass / not-pass state and timestamps
- Which language(s) you have solved the exercise in
This data is stored in the exercise_progress table and is bound to your Supabase user UUID (anonymous or permanent). It powers the resume-across-devices feature and the progress chips on learn.rungs.dev. Row-Level Security prevents other users from reading your rows; our team may read exercise snapshots only to investigate and fix Service or exercise issues.
To produce aggregate dashboards (counts of started and completed exercises per day, active learners), we sync a subset of exercise_progress to PostHog's EU Data Warehouse: exercise slug, status, attempt counts, timestamps, and which language(s) you solved in. Your AOI snapshot — the actual code you write — is never synced to PostHog. The sync runs through a least-privilege Postgres role that physically cannot read the snapshot column.
Purchases (Learn Plus)
If you buy a Plus access pass on learn.rungs.dev, checkout is operated by Paddle, our merchant of record. Paddle collects the data needed to process the order — name, email address, billing country, payment details, and tax information — and acts as an independent data controller for that data under its own privacy policy.
We never see or store your payment card details. After a successful purchase we receive and store, linked to your account: the product purchased, the Paddle transaction identifier, and the purchase and expiry timestamps. We use this only to unlock paid exercises for your account and to handle refunds or support requests.
Analytics data
We use PostHog (EU instance, eu.i.posthog.com) to understand how the Service is used. PostHog may collect:
- Usage events — actions such as creating, importing, exporting, and sharing AOIs; starting simulations and tests; editing sessions; opening exercises; running tests; experiment exposures
- Device and browser information — browser type, operating system, screen size, and technical identifiers
- Page views and navigation — which pages you visit and how you move through the Service
- Error and performance data — exceptions and timing metrics to help us improve reliability
Analytics data is processed in the European Union via PostHog's EU infrastructure. While most of the Service does not require account registration, analytics and service providers may still process online identifiers and similar technical data.
We measure usage in one of two ways, depending on your cookie choice. If you accept analytics cookies, we use cookie-based analytics that can recognise you across visits. If you decline, or have not yet chosen, we fall back to cookieless measurement: a privacy-preserving identifier is generated on our analytics provider's servers, sets no cookie on your device, is not stored as a persistent identifier, and does not build a personal profile. This lets us count visitors and overall usage without tracking you individually.
Bot-detection data
We use Cloudflare Turnstile in invisible mode to defend the anonymous sign-in endpoint from automated abuse. Turnstile collects browser signals (IP address, user-agent, JavaScript fingerprints, mouse and timing patterns) and returns a short-lived token that we forward to Supabase. We do not see the underlying signals; we only see the pass/fail outcome.
Cookies
We use strictly necessary cookies for sign-in (Supabase auth tokens on .rungs.dev), bot defence (Cloudflare Turnstile), and share-link tracking. We use analytics cookies for PostHog (visitor and session identifiers) and Algolia (recent searches on the docs site). Analytics cookies are not set unless you Accept on our cookie banner; we do not capture session recordings. If you decline, see "Analytics data" for how we still measure usage without cookies. A browser Do Not Track signal is treated the same as declining.
You can change your choice at any time using the Cookie settings link in the footer of this site, or by clearing your browser's cookies for .rungs.dev. Blocking strictly-necessary cookies will break sign-in.
Search (Docs Site)
The documentation site at rungs.dev uses Algolia for search. Algolia processes your search queries to return results. Do not include personal or sensitive information in search queries.
Relay AI Assistant
Relay is the AI tutor available in Studio's right sidebar (the Relay tab). When you send a message to Relay, the following are sent from your browser to our studio-assist server and forwarded to a third-party large language model provider:
- The text of your message and prior turns in the current chat thread
- Your current Studio context: the tags and ladder/structured text code in the AOI you have open at that turn, which tab (Tags, Logic, Tests, Trend) is active, the current studio mode (user / example / exercise), and any visible compiler diagnostics
- Optional thumbs up / thumbs down feedback you give on a reply
The model provider processes your prompt to generate a reply and returns it through our server. We do not include AOIs you have not opened, AOIs from other Studio sessions, your other localStorage drafts, or your test results unless they are part of the active context above.
We capture each Relay turn in PostHog LLM Analytics (EU instance). For every turn we store: the prompt, the model reply, the model name, token counts, latency, an anonymous session identifier, the studio mode, and any feedback you provide. We use these traces to evaluate Relay quality, debug bugs, and improve the system prompt and underlying documentation. Individual turns may be read by our team when investigating issues.
Do not paste secrets, credentials, customer data, or proprietary code into Relay.
Relay is currently free during an early-access period. Paid AI features may be introduced later; if so, payment information will be handled by a third-party processor and this policy will be updated.
Communications
If you have a permanent account (you signed in with Google or GitHub, so we hold your email address), we may email you for the following purposes:
- Service messages. Operational notices such as material changes to these terms or this policy, security notices, account or data-retention warnings, and responses to requests you send us. These are necessary to operate the Service and are sent on the basis of our legitimate interest; you cannot opt out of them while you hold an account, though you can close the account at any time.
- Feedback requests. Occasional, low-frequency messages asking about your experience with the Service so we can improve it. Every such message includes a one-click unsubscribe link, and unsubscribing stops all future feedback and product-update emails without affecting your account or service messages.
- Product updates and similar (optional). If we introduce newsletters or product-announcement emails, we will send them only to users who have explicitly opted in, and every message will include a one-click unsubscribe link.
Anonymous sessions have no email address and are never emailed. We do not sell or share your email address with third parties for their own marketing.
What we do not collect
- No name or email unless you sign in. Anonymous sessions are identified by a random UUID only. Email is received only after you complete Google or GitHub OAuth, and only because the provider includes it in the OAuth response.
- No project data from outside exercises. AOI projects you build outside the exercise flow (the user-mode editor, the library, file imports) stay in your browser's localStorage and are never uploaded — unless you choose to use the Share feature, in which case the AOI you select is uploaded as described under "AOI Sharing" below.
- No payment card details. Checkout for paid access is handled entirely by Paddle as merchant of record. We receive only transaction metadata — product, transaction identifier, and timestamps — never your card number or full billing details (see "Purchases (Learn Plus)").
AOI Sharing
When you use the optional Share feature, the AOI data you choose to share is uploaded to our database (hosted on Supabase, EU region) and made publicly accessible via a link. Shared AOIs are:
- Public — anyone with the link can view and fork the shared AOI
- Anonymous — shares are not linked to any user identity
- Size-limited — maximum 100 KB per shared AOI
- Rate-limited — to prevent abuse
You can share AOIs at your discretion. Do not share AOIs containing proprietary or confidential logic.
Shared AOIs may be used to operate, secure, and improve the Service, including developing, evaluating, and training machine learning and AI features. This applies only to AOIs you choose to share, not to AOIs stored locally in your browser or saved as exercise snapshots in your private exercise_progress rows.
Data Storage and Retention
| Data | Location | Retention |
|---|---|---|
| Non-exercise AOI projects | Your browser (localStorage) | Until you clear browser data |
| Shared AOIs | Supabase (EU, Ireland) | Indefinitely, or until we remove inactive shares |
| Exercise progress (snapshots, pass state) | Supabase (EU, Ireland) | Until you delete your account; anonymous accounts and their rows are pruned automatically after 180 days of inactivity |
| Supabase user record | Supabase (EU, Ireland) | Permanent accounts retained until you request deletion; anonymous accounts pruned automatically after 180 days of inactivity |
| Purchase records (entitlements) | Supabase (EU, Ireland) | Until you delete your account; Paddle retains the underlying transaction records under its own policy |
| Analytics data | PostHog EU | Per PostHog's data retention policy |
| Relay prompts and replies | PostHog EU (LLM Analytics) | Per PostHog's data retention policy |
| Relay prompts (model provider) | Third-party LLM provider | Per the current provider's data retention policy |
| Turnstile signals | Cloudflare | Per Cloudflare's Privacy Policy |
Lawful basis for processing
We rely on legitimate interest for operating the editor, anonymous sign-in, bot defence, exercise progress storage, anonymous cookieless usage measurement, and sending service and feedback messages to signed-in users; on performance of your request for sign-in via Google or GitHub, for processing your purchase and granting the resulting access pass, and for each Relay message you send; and on your consent — given via the cookie banner, the sign-in panel, each Share action, or by opting in to optional product-update emails — for cookie-based product analytics, for AOIs you choose to share publicly, and for any optional marketing or newsletter communications.
Third-Party Services
| Service | Purpose | Region | Privacy Policy |
|---|---|---|---|
| Supabase | Auth, exercise progress, and AOI sharing storage | EU (Ireland, eu-west-1) | supabase.com/privacy |
| Cloudflare Turnstile | Invisible bot detection on the anonymous sign-in endpoint | Global, with EU presence | cloudflare.com/privacypolicy |
| Google | OAuth identity provider when you sign in with Google | US (transfer covered by EU SCCs) | policies.google.com/privacy |
| GitHub | OAuth identity provider when you sign in with GitHub | US (transfer covered by EU SCCs) | docs.github.com/site-policy/privacy-policies |
| Paddle | Merchant of record — checkout, payment, tax, receipts | UK/EU (independent data controller) | paddle.com/legal/privacy |
| PostHog | Product analytics and LLM analytics | EU | posthog.com/privacy |
| Large language model provider | Generates Relay AI assistant replies | See the "Current AI Model Provider" section | The current provider is listed at the bottom of this page; we may change providers without re-issuing this policy |
| Algolia | Documentation search | EU/US | algolia.com/policies/privacy |
| Vercel | Hosting and CDN | EU edge for delivery; account metadata in US | vercel.com/legal/privacy-policy |
For processors located outside the EEA (Cloudflare, Google, GitHub, the Relay AI model provider, Vercel account metadata, parts of Algolia) we rely on the European Commission's Standard Contractual Clauses and, where applicable, the EU–US Data Privacy Framework.
Your Rights
If you are in the EU/EEA, you have rights under GDPR including the right to access, rectify, port, restrict, object to the processing of, and erase your personal data, and the right to lodge a complaint with a supervisory authority. Our supervisory authority is the Irish Data Protection Commission (dataprotection.ie).
You can:
- Clear local data at any time by clearing your browser's localStorage and cookies for studio.rungs.dev and learn.rungs.dev. This signs you out and removes the cached anonymous session reference.
- Opt out of cookie-based analytics by declining our cookie banner — we then set no analytics cookies and measure usage only anonymously, without cookies or a personal profile (see "Analytics data"). To stop all analytics, including this cookieless measurement, block our analytics provider with an extension such as uBlock Origin or Privacy Badger. Neither affects Relay traces, which are sent server-side only when you submit a message (see below).
- Stop sending Relay traces by not using the Relay assistant. Each Relay turn is sent only when you submit a message.
- Request data deletion or access by emailing privacy@rungs.dev. We will respond within one month. For anonymous accounts, we will need a copy of the .rungs.dev cookie value (or you can ask us to delete by anonymous UUID) so we can identify the rows to remove.
For anonymous accounts specifically: there is no email to identify you by, so we can act on a deletion request only if you give us your anonymous UUID — which lives solely in the .rungs.dev cookie on your device. To have your data deleted, send us that UUID (or the cookie value) before you clear the cookie; once it is gone, neither you nor we can tell which rows are yours. Any anonymous account not identified this way is removed automatically after 180 days of inactivity.
Children's Privacy
The Service is not directed at children under 16. We do not knowingly collect information from children. If you believe a child has signed up, contact us at privacy@rungs.dev and we will delete the account.
Changes to This Policy
We may update this Privacy Policy from time to time. Changes will be posted on this page with an updated "Last updated" date.
Contact
For privacy questions or data requests, contact us at:
Techsolid Automation Limited
Email: privacy@rungs.dev
Current AI Model Provider
As of the "Last updated" date above, the third-party large language model provider used by Relay is Google (Gemini) — see policies.google.com/privacy. We may change providers at our discretion; the current provider will be reflected here.